LONDON (AP) — A European Union privateness watchdog fined TikTok 530 million euros ($600 million) on Friday after a four-year investigation discovered that the video sharing app’s information transfers to China put customers susceptible to spying, in breach of strict EU information privateness guidelines.

Eire’s Information Safety Fee additionally sanctioned TikTok for not being clear with customers about the place their private information was being despatched and ordered the corporate to adjust to the foundations inside six months.

The Irish nationwide watchdog serves as TikTok’s lead information privateness regulator within the 27-nation EU as a result of the corporate’s European headquarters is predicated in Dublin.

“TikTok failed to verify, guarantee and demonstrate that the personal data of (European) users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” Deputy Commissioner Graham Doyle mentioned in a press release.

TikTok mentioned it disagreed with the choice and plans to enchantment.

The corporate mentioned in a weblog publish that the choice focuses on a “select period” ending in Might 2023, earlier than it launched into an information localization challenge known as Mission Clover that concerned constructing three information facilities in Europe.

“The facts are that Project Clover has some of the most stringent data protections anywhere in the industry, including unprecedented independent oversight by NCC Group, a leading European cybersecurity firm,” said Christine Grahn, TikTok’s European head of public policy and government relations. “The decision fails to fully consider these considerable data security measures.”

TikTok, whose dad or mum firm ByteDance is predicated in China, has been below scrutiny in Europe over the way it handles private info of its customers amid considerations from Western officers that it poses a safety threat over person information despatched to China. In 2023, the Irish watchdog additionally fined the corporate a whole bunch of hundreds of thousands of euros in a separate little one privateness investigation.

The Irish watchdog mentioned its investigation discovered that TikTok failed to deal with “potential access by Chinese authorities” to European customers’ private information below Chinese language legal guidelines on anti-terrorism, counterespionage, cybersecurity and nationwide intelligence that have been recognized as “materially diverging” from EU requirements.

Grahn mentioned TikTok has “has never received a request for European user data from the Chinese authorities, and has never provided European user data to them.”

Underneath the EU guidelines, often called the Normal Information Safety Regulation, European person information can solely be transferred exterior of the bloc if there are safeguards in place to make sure the identical degree of safety.

Grahn mentioned TikTok strongly disagreed with the Irish regulator’s argument that it did not perform “necessary assessments” for information transfers, saying it sought recommendation from legislation corporations and specialists. She mentioned TikTok was being “singled out” although it makes use of the “same legal mechanisms” that hundreds of different corporations in Europe does and its strategy is “in line” with EU guidelines.

The investigation, which opened in September 2021, additionally discovered that TikTok’s privateness coverage on the time didn’t title third nations, together with China, the place person information was transferred. The watchdog mentioned the coverage, which has since been up to date, failed to clarify that information processing concerned “remote access to personal data stored in Singapore and the United States by personnel based in China.”

TikTok faces additional scrutiny from the Irish regulator, which mentioned that the corporate had supplied inaccurate info all through the inquiry by saying that it did not retailer European person information on Chinese language servers. It wasn’t till April that it knowledgeable the regulator that it found in February that some information had in truth been saved on Chinese language servers.

Doyle mentioned that the watchdog is taking the current developments “very seriously” and “considering what further regulatory action may be warranted.”